Security Alerts & News
by Tymoteusz A. Góral

#1234 Cyberattack claims multiple airports in Vietnam
Hackers on Friday successfully pulled off cyberattacks against Vietnam’s two largest airports and the nation’s flag carrier, Vietnam Airlines.

The attacks — attributed to a Chinese hacking group known as 1937CN — ultimately failed to cause any significant security issues or air traffic control problems, Vice Minister of Transport Nguyen Nhat told local media.
#1233 Hacking Imgur for fun and profit
I’ve been meaning to write about this for a while. It all started back in July 2015 when I decided to look for vulnerabilities in Imgur, an incredibly popular image sharing platform. The reason I chose Imgur was because I frequently visited the site and I was already familiar with how the site worked. After a short amount of time searching I managed to find some common vulnerabilities; XSS, clickjacking, and a whole load of CSRF issues.

Reporting the issues proved to be a little difficult. The only way I could see to contact Imgur was through their support system which wasn’t suitable for reporting security issues. Eventually, August 1st, I wrote up a report detailing the issues, shipped an email off to, and waited. But not for long.
#1232 Android Stagefright bug required 115 patches, millions still at risk
One year after the Stagefright Android flaw was first reported, its effects are widespread. More than 100 related flaws have emerged and hundreds of millions of users remain at risk.

On July 27, 2015, news broke about Stagefright, a vulnerability in Android. A year later, it's clear that Stagefright has had a major impact on the mobile security world—more so than other vulnerabilities in recent memory.

The Stagefright flaw isn't just a single issue even though a year ago it wasn't entirely clear how much of an impact the vulnerability would have. Stagefright, a reference to the libstagefright media library in Android, was found by Joshua Drake, vice president of Platform Research and Exploitation at Zimperium, to be vulnerable to exploitation.
#1231 Cisco 2016 Midyear Cybersecurity Report (PDF)
It’s time again for our Midyear Cybersecurity Report (MCR), providing updates from Cisco security researchers on the state of security from the first half of the year. The 2016 MCR supplements the 2016 Cisco Annual Security Report published in January with mid-year analysis and insights on the evolving trends and threats across the industry. It also offers valuable guidance on what you can do to be more secure. Time is the resounding theme throughout the 2016 MCR and a pivotal factor in how we protect our businesses, our assets, and ourselves.

This report’s Cybercrime Spotlight is on ransomware, as this specific threat is becoming more widespread and potent. Our adversaries focus more than ever on generating revenue, and now deploy ransomware to target enterprise users in addition to individuals. These direct attacks are becoming increasingly efficient and lucrative, generating huge profits. Our security researchers calculate that ransomware nets our adversaries nearly $34 million annually. That’s a significant industry, and it’s time we improve our odds to handle this type of attack.
#1230 Xen patches critical guest privilege escalation bug
A freshly uncovered bug in the Xen virtualisation hypervisor could potentially allow guests to escalate their privileges until they have full control of the hosts they're running on.

The Xen hypervisor is used by cloud giants Amazon Web Services, IBM and Rackspace.

Inadequate security checks of how virtual machines access memory means a malicious, paravirtualised guest administrator can raise their system privileges to that of the host on unpatched installations, Xen said.

"The paravirtualisation pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (eg. clearing only Access/Dirty bits)," Xen's security team said in its advisory for XSA 182.
#1229 WhatsApp isn't fully deleting its 'deleted' chats
WhatsApp retains and stores chat logs even after those chats have been deleted, according to a post today by iOS researcher Jonathan Zdziarski. Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place.

In most cases, the data is marked as deleted by the app itself — but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default.
#1228 New trojan SpyNote installs backdoor on Android devices
A new Android Trojan called SpyNote has been identified by researchers who warn that attacks are forthcoming.

The Trojan, found by Palo Alto Networks’ Unit 42 team, has not been spotted in any active campaigns. But Unit 42 believes because the software is now widely available on the Dark Web, that it will soon be used in a wave of upcoming attacks.

Unit 42 discovered the Trojan while monitoring malware discussion forums. Researchers say that’s where they found a malware builder tool specifically designed to be used to create multiple versions of SpyNote Trojan.
#1227 Cleaning up after cyber attacks is good, but deterring attackers is better
The Presidential Policy Directive on United States Cyber Incident Coordination makes it clear for the first time that the FBI and the National Cyber Investigative Joint Task Force (NCIJTF) would take the lead in 'threat response activities'.

The Department of Homeland Security will be in charge of 'asset response activities,' which includes providing technical assistance to the affected entities to protect their assets and mitigate the impact of the attack, while the Office of the Director of National Intelligence is the lead agency 'for intelligence support'.
#1226 KeySniffer – here’s what you need to know
A few months ago, US startup Bastille Networks announced research that showed how some wireless computer mice could be hacked by intercepting and manipulating the signals between the devices and your computer.

Now, Bastille has focused its efforts on wireless keyboards, and found that the situation was, well, worse.

Last time, they dubbed their attack Mousejacking. They’re branding this one KeySniffer.

Similar to Bastille’s previous Bug With An Impressive Name (or BWAINs, as we call them), keyboards that have the KeySniffer vulnerability transmit information unencrypted.

This means all keystrokes sent are in plaintext and can be easily read and recorded by anyone with the right eavesdropping hardware.
#1225 If you get caught using a VPN in the UAE, you'll face fines of up to $545,000
The President of the United Arab Emirates has issued a series of new federal laws relating to IT crimes, including a regulation that forbids anyone in the UAE from making use of virtual private networks to secure their web traffic from prying eyes.

The new law states that anyone who uses a VPN or proxy server can be imprisoned and fined between $136,000-$545,000 if they are found to use VPNs fraudulently.

Previously, the law was restricted to prosecuting people who used VPNs as part of an internet crime, but UK-based VPN and privacy advocate Private Internet Access says that the law has now changed to enable police in the UAE to go after anyone who uses VPNs to access blocked services, which is considered to be fraudulent use of an IP address.
#1224 Protecting Android with more Linux kernel defenses
Android relies heavily on the Linux kernel for enforcement of its security model. To better protect the kernel, we’ve enabled a number of mechanisms within Android. At a high level these protections are grouped into two categories—memory protections and attack surface reduction.
#1223 Parental control software for Windows put to the test
The Internet offers many suitable playgrounds for children, but surely many more unsuitable ones. But how can the activities of children on the Web be controlled without parents constantly standing there next to them? One solution can be parental control software. The experts of AV-TEST have examined whether the software packages work reliably and have certified two products.
#1222 Telegram app vuln recorded anything macOS users pasted—even in secret
A bug in the Telegram Messenger app logged anything its users pasted into their chats in its syslog on macOS, even if they had opted for the end-to-end encrypted "secret" mode.

The vulnerability was spotted earlier this month by Russian infosec operative Kirill Firsov, who directly and publicly challenged Telegram's flamboyant founder and chief Pavel Durov about the app's latest security flaw.
#1221 LastPass: design flaw in communication between privileged and unprivileged components
I'm looking at LastPass 4.1.20a on Windows, and can see some problems with the
design. It looks like the addon works by injecting elements and event handlers
into the page.

<input> boxes are modified with some css, and a click event handler is added
that instructs the addon to create a privileged iframe. A page can click the
LastPass icon programmatically with javascript by creating a MouseEvent() with
the right x:y coordinates. Normally a page would not be permitted to navigate
to a resource:// url, but this just asks the add-on to do it.
#1220 LastPass unpatched zero-day vulnerability gives hackers access to your account
A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault which pulls user passwords from a secure area and auto fills credentials for you. The system uses AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to protect the valuable data stored within, but according to Google Project Zero hacker Tavis Ormandy, the software contains a "bunch of critical problems" which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a "quick look" to find "obvious" security problems.
#1219 Economics behind ransomware as a service: a look at Stampado’s pricing model
Ransomware have become such a big income earner for cybercriminals that every bad guy wants a piece of the pie. The result? More tech-savvy criminals are offering their services to newbies and cybercriminal wanna-bes in the form of do-it-yourself (DIY) kits—ransomware as a service (RaaS).

About two weeks ago, a new breed of ransomware dubbed “Stampado” (detected by Trend Micro as RANSOM_STAMPADO.A) surfaced. Security researchers did not initially find samples of the threat even if it made headlines for being cheap (despite being “easy to manage,” according to its creators) for such a package—only US$39 for a “lifetime license.”
#1218 Bypassing UAC on Windows 10 using Disk Cleanup
Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control (if you aren’t familiar with UAC you can read more about it here). Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. You can dig into some of the public bypasses here (by @hfiref0x). The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file copy or any code injection.

A common technique used to investigate loading behavior on Windows is to use SysInternals Process Monitor to analyze how a process behaves when executed. After investigating some default Scheduled Tasks that exist on Windows 10 and their corresponding actions, we found that a scheduled task named “SilentCleanup” is configured on stock Windows 10 installations to be launchable by unprivileged users but to run with elevated/high integrity privileges. To find this, we simply went through each task and inspected the security options for “Run with Highest Privileges” to be checked with a non-elevated User Account (such as ‘Users’).
#1217 Motorola confirms that it will not commit to monthly security patches
Motorola has clarified the update situation of the Moto Z and Moto G4, calling Android's monthly security updates "difficult" and deciding not to commit to them.

When we recently reviewed the Moto Z, we said that the device would not be getting Android's monthly security updates. Motorola doesn't make this information officially available anywhere, but when we asked Motorola reps at the Moto Z launch event if the company would commit to the monthly updates, we were flatly told "no."

We passed this along in our review, where we called the policy "unacceptable" and "insecure." Motorola later muddied the waters a bit by releasing a statement saying "Moto Z and Moto Z Force will be supported with patches from Android Security Bulletins. They will receive an update shortly after launch with additional patches." Sure, the Android security patches will reach the devices eventually, but this statement didn't assure that they would arrive on time as monthly security updates.
#1216 Kimpton hotels investigating payment card fraud
Kimpton Hotels & Restaurants, a nationwide chain of 62 boutique hotels, is investigating a string of unauthorized charges on payment cards used at a number of its locations.

It’s unknown how many cards are involved, nor at which locations.

“Kimpton Hotels & Restaurants takes the protection of payment card data very seriously. Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.

We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”
#1215 Keys to Chimera crypto ransomware allegedly leaked by rival crime gang
Sometimes, the fierce competition in the booming crypto ransomware market works in the favor of the victims whose priceless data is held hostage. That appears to be what played out on Tuesday when the criminals behind a package known as "Mischa" published what's purported to be the secret crypto keys for the rival Chimera malware.

"Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project," the Mischa developers wrote in a message posted to Pastebin. "Additionally we now release about 3500 decryption keys from Chimera."

Translation: As if breaking in to the Chimera developers' network and stealing their code wasn't enough of an affront, the competing Mischa gang now claims to have leaked the keys that defang Chimera.
#1214 New attack that cripples HTTPS crypto works on Mac, Windows and Linux
A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodiscovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."
#1213 KeySniffer vulnerability opens wireless keyboards to snooping
Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday.

If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text.

Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks that discovered the vulnerability.
#1212 Unpatched smart lighting flaws pose IoT risk to businesses
A host of web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC.

Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available.

Osram Lightify products are indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices.

Researcher Deral Heiland, principal security consultant at Rapid7, said that a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours.
#1211 Amazon Silk browser ignored SSL searches, failing to protect your privacy
Amazon's Silk internet browser contained a serious bug which not only ignored SSL security standards in Google searches but prevented redirection to the secure version of the search engine.

The Google Chrome-based Silk browser, loaded with Amazon Kindle tablets, was set up without Secure Sockets Layer (SSL) technology -- which encrypts communication between servers and web browsers -- and also prevented automatic redirections to Google's SSL version of the tech giant's search engine.

This security problem left user connections unencrypted and potentially open to man-in-the-middle (MitM) attacks and snooping.
#1210 Microsoft Authenticator – coming August 15th! Supports AzureAD & Microsoft acct!
"On August 15th, we will start releasing the new “Microsoft Authenticator” apps in all mobile app stores. This new app combines the best parts of our previous authenticator apps into a new app which works with both Microsoft accounts and Azure AD accounts.

As many of you know, we’ve had separate authenticator apps for Microsoft account and Azure AD for quite a while – the Azure Authenticator for enterprise customers and the Microsoft account app for consumers. With the new Microsoft Authenticator, we’ve combined the best of both into a single app that supports enterprise and consumer scenarios."
#1209 In-the-wild Ransomware Protection Comparative Analysis 2016 Q3 (PDF)
“Ransomware is a Cryptovirology attack carried out using covertly installed malware that encrypts the victim's files and then requests a ransom payment in return for the decryption key that is needed to recover the encrypted files. Thus, ransomware is an access-denial type of attack that prevents legitimate users from accessing files since it is intractable to decrypt the files without the decryption key”.

Before ransomware was trendy among cyber-criminals, a malware infection was not a high priority for most users. Financial malware could be defeated via fraud detection, spammed Facebook walls were cleaned, and life could continue uninterrupted. Sometimes, the presence of the malware was not even noticed for months. But this has changed since ransomware became prevalent. The use of crypto-currencies like Bitcoin made it easy to cash out quickly. And because the malware has to only run for some minutes on the victim’s computer, most reactive protections failed quickly, and left the users unprotected against these cyber criminals. Multiple generic ransomware protection emerged to solve this issue.

Zemana Ltd. commissioned MRG Effitas to conduct a comparative analysis of its Zemana AntiMalware product, and other prevalent generic ransomware tools.
#1208 Windows UAC bypass leaves systems open to malicious DLLs
Researchers have crafted a stealthy new way of bypassing Windows User Account Controls (UAC) that opens the door to attacks on targeted systems. According to researchers, the bypass technique can fly under the radar of security solutions that monitor for this type of circumvention.

The UAC bypass technique works on Windows 10 systems, and as opposed to a number of other UAC bypass techniques, this one does not raise red flags because it doesn’t rely on a privileged file copy or code injection, according to Matt Graeber and Matt Nelson, who found the workaround and outlined it in a technical breakdown on the Enigma0x3 website.
#1207 O2 customer data sold on dark net
O2 customer data is being sold by criminals on the dark net, the Victoria Derbyshire programme has learned.

The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts.

When the login details matched, the hackers could access O2 customer data in a process known as "credential stuffing".

O2 says it has reported the case to law enforcement, and is helping inquiries.

It is highly likely that this technique will have been used to log onto other companies' accounts too.
#1206 Facebook admits blocking WikiLeaks’ DNC email links, but won’t say why
Facebook has acknowledged it blocked links to WikiLeaks’ DNC email dump, though (again) hasn’t explained why.

On Twitter, WikiLeaks noted that there was a workaround for posting links.
#1205 New evidence suggests DNC hackers penetrated deeper than previously thought
The suspected hacking of a Democratic National Committee consultant's personal Yahoo Mail account provides new evidence that state-sponsored attackers penetrated deeper than previously thought into the private communications of the political machine attempting to defeat Republican nominee Donald Trump.

According to an article published Monday by Yahoo News, the suspicion was raised shortly after DNC consultant Alexandra Chalupa started preparing opposition research on Trump Campaign Chairman Paul Manafort. Upon logging in to her Yahoo Mail account, she received a pop-up notification warning that members of Yahoo's security team "strongly suspect that your account has been the target of state-sponsored actors." After Chalupa started digging into Manafort's political and business dealings in Ukraine and Russia, the warnings had become a "daily occurrence," Yahoo News reported, citing a May 3 e-mail sent to a DNC communications director.
#1204 NIST prepares to ban SMS-based two-factor authentication
The US National Institute for Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA).

According to the latest DAG draft version, NIST officials are discouraging companies from using SMS-based authentication, even saying that SMS-based 2FA might be considered insecure in future versions of the guideline. The exact paragraph in the NIST DAG draft is:

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
#1203 Researchers release free decryption tools for PowerWare and Bart ransomware
Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.
#1202 Now you can hide your smart home on the Darknet
Here’s how it works: the Guardian Project turned a simple Raspberry Pi mini-computer into a smart hub that runs the open-source HomeAssistant software and acts as a so-called Tor hidden service, the same application of Tor that obscures the location of servers running dark web sites. The result, says Guardian Project director Nathan Freitas, is a far stealthier and more secure way to connect your smart home to the Internet, while still keeping it safe from potential digital attacks. “All we did was pull these pieces together to demonstrate a proof-of-concept for the role Tor can play in your home,” says Freitas, who’s also a fellow at Harvard’s Berkman Klein Center for Internet and Society. “It’s turning your Internet-of-things hub into a hidden service.”
#1201 EU to give free security audits to Apache HTTP server and Keepass
The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects.

The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers.

The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.

Other projects considered in the survey included MySQL, Git, ElasticSearch, FileZilla, WinSCP, OpenSSH, Notepad++, Firefox, 7-Zip, VLC Media Player, Glibc, the Linux kernel, Apache Tomcat, BouncyCastle, OpenSSL, Drupal, VeraCrypt, Apache Commons, and the TYPO3 CMS.
#1200 GOP delegates suckered into connecting to insecure WiFi hotspots
A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland, US, underlines how risky it can be to connect to public Wi-Fi without protection from a VPN.

The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 delegates were careless when connecting to public Wi-Fi.

Attendees risked the possibility of being spied on and hacked by cybercriminals or perhaps even spies while they checked their emails, banked online, used chat and dating apps, and even while they accessed Pokemon Go.

Avast researchers set up fake Wi-Fi networks at various locations around the Quicken Loans Arena and at Cleveland Hopkins International Airport with fake network names (SSIDs) such as “Google Starbucks”, “Xfinitywifi”, “Attwifi”, “I vote Trump! free Internet” and “I vote Hillary! free Internet” that were either commonplace across the US or looked like they were set up for convention attendees.
#1199 Malicious computers caught snooping on Tor-anonymized Dark Web sites
The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators' identities.

All of the 110 malicious relays were designated as hidden services directories, which store information that end users need to reach the ".onion" addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed "honions." The honions operated like normal hidden services, but their addresses were kept confidential. By tracking the traffic sent to the honions, the researchers were able to identify directories that were behaving in a manner that's well outside of Tor rules.
#1198 Auto industry publishes best practices for cybersecurity
In-brief: An Automotive industry information sharing group has published a “Best Practices” document, giving individual automakers guidance on improving the cybersecurity of their vehicles.

The Automotive industry’s main group for coordinating policy on information security and “cyber” threats has published a “Best Practices” document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time.

The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers.

The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.

Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process.
#1197 Ransomware gang claims Fortune 500 company hired them to hack the competition
In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company.

“We are hired by [a] corporation to cyber disrupt day-to-day business of their competition,” the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure.

“The purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first.”
#1196 PayPal fixes CSRF vulnerability in
PayPal recently fixed a vulnerability on its site that could have let an attacker change a user’s profile without permission.

The issue stemmed from a cross-site request forgery (CSRF) vulnerability that existed in, a site the company launched last year to let its users request money; similar to what Venmo, another property it owns, does.

Florian Courtial, a French software engineer who hunts for bugs in his spare time discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.

Courtial found the bug while rooting around both and for CSRF vulnerabilities. Using Burp Suite, he discovered he could remove or edit the CSRF token and in turn update a user’s PayPal profile picture. The HTML was missing a few headers, like X-Frame-Options: DENY, something that allowed him to submit the form without redirection.
#1195 PowerWare ransomware masquerades as Locky to intimidate victims
A new variant of the PowerWare ransomware is stealing street creds from the Locky strain of ransomware in an attempt to spoof the malware family. A new sample of PowerWare found by Palo Alto Networks’ Unit 42 reveals the ransomware’s quickly evolving tactics.

According to researchers, a new version of the ransomware is using Locky’s “.locky” file extension to encrypt files and make it appear the files have been infected with Locky. The ransomware has also adopted Locky’s ransom note and uses the same wording as Locky in the ransomware’s “help” instructions.
#1194 Flaws in Oracle file processing SDKs affect major third-party products
Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors, including Microsoft.

The vulnerabilities were found by researchers from Cisco's Talos team and are located in the Oracle Outside In Technology (OIT), a collection of software development kits (SDKs) that can be used to extract, normalize, scrub, convert and view some 600 unstructured file formats.

These SDKs, which are part of the Oracle Fusion Middleware, are licensed to other software developers who then use them in their own products. Such products include Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.
#1193 Canadian man behind popular ‘Orcus RAT’
Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of a Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.
#1192 Google fixes 48 bugs, sandbox escape, in Chrome
Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox.

That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday.

Four dozen of those flaws are rated as high risks and Google paid out more than $22,000 in rewards to researchers who reported vulnerabilities to the company. Payment on an additional 11 bugs found by bug bounty hunters is pending, Google said.
#1191 IoT insecurity: Pinpointing the problems
It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices from thermostats, security cameras to alarm systems.

Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA, IoT and M2M – suggest that what might seem like chicken-little opinions about IoT security may not be too far from the reality.

A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial controls systems exposed to the Shodan search engine it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues.
#1190 Nearly six million fraud and cyber crimes last year, ONS says
Almost six million fraud and cyber crimes were committed last year in England and Wales, the Office for National Statistics has said.

It estimated there were two million computer misuse offences and 3.8 million fraud offences in the 12 months to the end of March - suggesting fraud is the most common type of crime.

Most related to bank account fraud.

It is the first time fraud questions have been added to the official Crime Survey for England and Wales.

The figures are separate from the ONS headline estimate that a total of 6.3 million crimes were perpetrated against adults in the year to March - a 6% fall in the number of crimes compared to the previous year.
#1189 Tinder safe dating spam uses safety to scam users out of money
In recent weeks, we have noticed spam activity on Tinder claiming to promote safety in online dating in messages to users. This is used as a lure to funnel affiliate money into the scammers’ pockets.

It’s the latest spam trend to hit the mobile dating app. Since 2013, we have published a few blogs detailing the rise of spam bots on the popular mobile dating application, Tinder. While Tinder has changed its service recently with the introduction of a premium offering, the app remains a popular destination for spammers.
#1188 Jackware: When connected cars meet ransomware
2016 is already being dubbed “The Year of Ransomware” and ransomware features prominently in my upcoming “Mid-Year Threat Review” webinar. In that webinar I will also be talking about the IoT (Internet of Things) and more specifically the IoIT (the Internet of Insecure Things); mainly because risks arising from the latter are on the rise. Don’t get me wrong, I’m not saying that the IoIT currently poses as big a threat as ransomware does. But part of my job is to look beyond the present – and I’m concerned that a future headline will read: “The Year of Jackware.”

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.
#1187 Hidden 'backdoor' in Dell security software gives hackers full access
Security researchers are warning Dell security management software admins to patch their systems after finding six high-risk vulnerabilities.

One of the highest-rated "critical" flaws involves a hidden default account with an easily-guessable password in Dell's Sonicwall Global Management System (GMS), a widely-used software used to centrally monitor and manage an enterprise's array of networked security devices.

The vulnerability could allow an attacker "full control" of the software and all connected appliances, such as virtual private networking (VPN) appliances and firewalls.
#1186 CrypMIC ransomware wants to follow CryptXXX’s footsteps
They say imitation is the sincerest form of flattery. Take the case of CrypMIC—detected by Trend Micro as RANSOM_CRYPMIC—a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX.

CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits] / UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers.
#1185 Update now: Macs and iPhones have a Stagefright-style bug!
Stagefright was one of 2015’s most newsworthy BWAINs (Bugs with an Impressive Name): a security hole, or more accurately a cluster of holes, in Android’s libstagefright multimedia software component.

Multimedia objects such as images, video and audio are often stored in files with complex formats.

That, in turn, means lots of clever programming to read them in, decode them, decompress them into memory and prepare them for display.

And, as you probably know only too well, the more complex a program gets; the more calculations it needs to do based on numbers extracted from untrusted files; the more it needs to mess around allocating and deallocating memory and shuffling data between memory buffers…

…the more likely it is that some sort of buffer overflow or integer overflow bug will show up.
#1184 Facebook malware – the missing piece
In our last blogpost, Facebook malware: tag me if you can, we revealed a phishing campaign led by Turkish-speaking threat actors who exploited social networks to spread a Trojan that compromises the victim’s machine and captures its entire browser traffic. The report did not address the issue of lateral movement because Kaspersky Lab researchers were still investigating it.

After two weeks of research, Kaspersky Lab researcher Ido Naor, and Dani Goland, the CEO & co-founder of Israel-based company Undot, managed to extract the proverbial needle from a haystack: a Facebook vulnerability that allowed an attacker to replace the comment identifier parameter attached to each web/mobile Facebook comment with an identifier that was reserved for embedded plugins usually located on third-party websites (where they allowed visitors to comment with their Facebook identity).
#1183 Internet of Things security is dreadful: Here's what to do to protect yourself
British parents haven't learnt their lesson from the discovery two years ago of a Russian website that offered links to unsecured baby monitors, according to the UK's privacy watchdog.

This has prompted the Information Commissioner's Office (ICO) to reissue its wake-up call from 2014 to parents over the security of baby monitors. Two years on from the discovery of the Russian site, the ICO says parents still haven't changed their behaviour, and it's calling on them to take responsibility for the security of their devices.

"Internet of Things products such as baby monitors, music systems and photo or document storage, which can be accessed online, are at risk of revealing your personal details to other people," it warned.
#1182 ARM, Symantec build security standard for Internet of Things
The lack of a cohesive cybersecurity standard around the Internet of Things and connected devices could result in highly-damaging security breaches that could compromise any industrial, corporate, or home network.

There are already billions of devices -- ranging from sensors, to cars, to hospital equipment and more -- connected to the internet and Gartner estimates that 5.5 million new 'things' are going online every single day. Over five billion devices are currently connected and the figure is expected to rise to 20 billion by 2020.

However, there isn't any sort of standard applied to security in Internet of Things devices, and experts are already predicting a major cybersecurity breach linked back to an unsecured connected device within the next two years.
#1181 Oracle patches record 276 vulnerabilities with July critical patch update
Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.

The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite to name a few. The number of fixes exceeds the previous all time high, 248 patches, pushed by Oracle in January and marks more than double the amount of vulnerabilities addressed by the company in its last CPU in April.

Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable. The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.
#1180 SoakSoak botnet pushing neutrino exploit kit and CryptXXX ransomware
Researchers are reporting a surge in CryptXXX ransomware infections delivered via business websites compromised to redirect to the Neutrino Exploit Kit. Attackers are targeting websites running the Revslider slideshow plugin for WordPress, according to a report released Tuesday by Invincea.

Behind the attacks, said Pat Belcher, director of security research at Invincea, is the SoakSoak botnet, active since 2014 and known for its automated ability to scan websites for vulnerabilities.

“We are seeing a surge in these type of attacks targeting slideshow and video components on popular websites,” Belcher said.
#1179 Firefox to block non-essential Flash content In August 2016, require click-to-activate In 2017
Browser plugins, especially Flash, have enabled some of our favorite experiences on the Web, including videos and interactive content. But plugins often introduce stability, performance, and security issues for browsers. This is not a trade-off users should have to accept.

Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness.
#1178 Attackers launch multi-vector DDoS attacks that use DNSSEC amplification
Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.
#1177 Wave of business websites hijacked to deliver crypto-ransomware
If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.

The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.
#1176 Library of Congress hit with a denial-of-service attack
Some of the U.S. Library of Congress’s websites are currently inaccessible as the result of a denial-of-service attack, the Library of Congress announced Monday.

The cyberattack was originally detected on July 17, a spokesperson told FedScoop. The attack has also caused other websites hosted by the LOC, including the U.S. Copyright Office, to go down. Library of Congress employees were reportedly unable to access their work email accounts or visit internal websites.

"The Library is working to maintain access to its online services while ensuring security," the spokesperson said.
#1175 Software flaw puts mobile phones and networks at risk of complete takeover
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
#1174 Apple fixes vulnerabilities across OSX, iOS, Safari
Apple fixed dozens of vulnerabilities in its software on Monday, including 60 vulnerabilities in its operating system, OS X, and 43 in its mobile operating system, iOS.

The OS X update graduates the desktop and server operating system to OS X El Capitan v10.11.6 and applies to anyone running OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, or OS X El Capitan v10.11.

The updates mostly fix a number of glitches and bugs under the hood of the OS. As usual, the bulk of them apply to software libraries like OpenSSL, LibreSSL, and libxml2. Apple updated each library to their most recent versions to mitigate the issues.

Meanwhile 21 of the vulnerabilities could lead to arbitrary code execution, six with kernel privileges, and two that could go on and lead to the compromise of user information.
#1173 REPORT: Organizations must respond to increasing threat of ransomware
It’s a nightmare scenario for any IT manager, receiving a phone call to hear that hundreds of computers have been infected with ransomware, knocking critical systems offline and putting their organization’s entire operations at risk.

That’s what happened to one large organization earlier this year, when it found itself the victim of a carefully planned and executed ransomware attack. What was uncovered from our investigation was a perfect example of an emerging form of corporate-specific attack. While most ransomware gangs have focused on widespread, indiscriminate campaigns, a number of groups have begun deliberately targeting specific organizations in a bid to completely cripple operations and extract a massive ransom.

Many of these attacks employ the same high level of expertise we see in cyberespionage attacks, using a toolbox that includes exploits of software vulnerabilities and legitimate software utilities to break into and traverse an organization’s network.
#1172 Google Chrome malware leads to sketchy Facebook likes
Ever wonder how your mild-mannered friend’s Facebook feed suddenly got packed with lewd clickbait? That’s the question Maxime Kjaer was determined to answer when he noticed a friend’s Facebook feed peppered with Likes for sketchy link bait such as “Basic Kissing Tips”.

“Intrigued, I decided to go down the rabbit hole and see what this was all about,” wrote Kjaer, a 19-year-old computer science student at Swiss Federal Institute of Technology in Switzerland, in a blog post Monday.

What he found was what he called a “glaring security hole” in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension.
#1171 Nominations for Pwnie Awards 2016
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
#1170 Use Tor? Riffle promises to protect your privacy even better
Privacy-minded people have long relied on Tor for anonymity online, but a new system from MIT promises better protection and faster performance.

Dubbed Riffle, the new system taps the same onion encryption technique after which Tor is named, but it adds two others as well. First is what's called a mixnet, a series of servers that each permute the order in which messages are received before passing them on to the next server.

If messages arrive at the first server in the order A, B, C, for example, that server would send them to the second server in a different order, such as C, B, A. The second server would then reshuffle things again when sending the messages on. The advantage there is that a would-be attacker who had tracked the messages’ points of origin would have no idea which was which by the time they exited the last server.
#1169 CGI script vulnerability ‘Httpoxy’ allows man-in-the-middle attacks
An old scripting vulnerability that impacts a large number of Linux distributions and programming languages allows for man-in-the-middle attacks that could compromise web servers. The vulnerability, which affects many PHP and CGI web-apps, was revealed Monday in tandem with the release of a bevy of patches from impacted companies and platforms.

Researchers at SaaS distributor VendHQ named the vulnerability Httpoxy. It affects server-side web applications that run in Common Gateway Interface (CGI) or CGI-like environments, such as some FastCGI configurations, along with programming languages PHP, Python, and Go.

“This is a very serious flaw, if you’re one of the few still reliant on CGI and PHP for generating web pages,” said Dominic Scheirlinck, principal engineer at VendHQ, and one of several researchers from the firm that discovered Httpoxy. The vulnerability is rated as “medium” by the firm and is easily exploitable.
#1168 Criminals plant banking malware where victims least expect it
A criminal gang recently found an effective way to spread malware that drains online bank accounts. According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download.

The legitimate tool is known as Ammyy Admin and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it. According to Monday's blog post, members of a criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website.
#1167 Carbanak gang tied to Russian security firm?
Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.
#1166 Cisco patches serious flaws in router and conferencing server software
Cisco Systems released patches this week for several vulnerabilities in its IOS software for networking devices and the Cisco and WebEx conferencing servers.

The most serious vulnerability affects the Cisco IOS XR software for the Cisco Network Convergence System (NCS) 6000 Series Routers. It can lead to a denial-of-service condition, leaving affected devices in a nonoperational state.

Unauthenticated, remote attackers can exploit the vulnerability by initiating a number of management connections to an affected device over the Secure Shell (SSH), Secure Copy Protocol (SCP) or Secure FTP (SFTP).
#1165 Cerber: A case in point of ransomware leveraging cloud platforms
As cloud services become increasingly adopted by end users, cybercriminals are equally finding ways to abuse them, using them as vectors to host and deliver malware. Conversely, by targeting cloud-based productivity platforms utilized by many enterprises, the malefactors are hoping to victimize users who handle sensitive corporate data that when denied access to can mean serious repercussions for their business operations.

A case in point: the Cerber ransomware. Its latest variant—detected by Trend Micro as RANSOM_CERBER.CAD—was found to have targeted Office 365 users, particularly home users and businesses.
#1164 Pokémon GO hype: First lockscreen tries to catch the trend
ESET has discovered the first ever fake lockscreen app on Google Play, named Pokemon GO Ultimate. As its characteristics suggest, it deliberately locks the screen right after the app is started, forcing the user to restart the device. Unfortunately, in many cases a reboot is not available because the activity of the malicious app overlays all the other apps as well as system windows. The user needs to restart the device either by pulling out the battery or using Android Device Manager. After reboot, it runs in the background hidden from the victim, silently clicking on porn ads online.
#1163 Malicious macros arrive in phishing emails, steal banking information
In 2015, we saw malicious Microsoft Office macros return with a vengeance, delivering a plethora of threats ranging from ransomware to banking Trojans. Now, we’ve found cybercriminals incorporating macros into phishing attacks to steal your information through email. The campaign delivered several thousand German-language phishing emails with Excel attachments containing the macros.
#1162 This webcam malware could blackmail you into leaking company secrets
Attackers are using a new piece of malware to gather private moments of employees in order to manipulate them into leaking company secrets.

According to Gartner fraud analyst Avivah Litan, the malware, which is dubbed "Delilah", has earned the title of the world's first insider threat trojan since it allows its operators to capture sensitive and compromising footage of victims, which can then be used to extort the victim or convince them to carry out actions that would harm their employer.

Details of Delilah were shared with Litan by Israeli threat-intelligence security firm Diskin Advanced Technologies. The firm reported that the malware is being delivered via multiple popular adult and gaming sites. It's not clear from Litan's report whether the attackers are using social engineering or software vulnerabilities to install the malware.

"The bot comes with a social engineering plug in that connects to webcam operations so that the victim can be filmed without his or her knowledge," noted Litan.
#1161 Most companies still can't spot incoming cyberattacks
Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

According to a new report by US cybersecurity and privacy think tank Ponemon Institute, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

Just 17 percent of respondents say that they have any sort of formal process in place for intelligence gathering which is applied across the whole company.

The report suggests that 38 percent of organisations don't have any policy on threat intelligence gathering at all, while 23 percent suggest their approach is "ad hoc" at best and 18 percent say they do have a formal process in place, but it isn't applied across the entire enterprise.

The Ponemon Institute claimed that businesses are on average experiencing more than one external cyberattack a month, with these repeated security breaches resulting in an annual average cost of around $3.5m.
#1160 How to steal money from Instagram, Google and Microsoft
Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated.

Swinnen has taken advantage of Instagram‘s option to link a mobile phone number to an account in order to earn money. After several unsuccessful SMS requests from Instagram to verify the link by using a token, the service will place a call that lasts some 17 seconds to the number.

Instagram didn’t notice the real nature of the provided number, nor did it notice when the same number was provided/tied with 100 Instagram accounts. The service did limit how often the call could be replayed (once every 30 seconds), but they could be easily scheduled to happen with such a pause in between.
#1159 Two million passwords breached in Ubuntu hack
Linux users who frequent the Ubuntu forums may want to change their passwords following news that an attacker was able to breach the service and its two million users.

Jane Silber, Chief Executive Officer at Canonical, the company that maintains the service, acknowledged on Friday that a known SQL injection vulnerability in Forumrunner, an add-on in the Ubuntu forums that hadn’t been patched, led to the attack.
#1158 Microsoft silently kills dev backdoor that boots Linux on locked-down Windows RT slabs
Microsoft has quietly killed a vulnerability that can be exploited to unlock ARM-powered Windows RT tablets and boot non-Redmond-approved operating systems.

The Register has learned that one of the security holes addressed this week in the July edition of Microsoft's Patch Tuesday closes a backdoor left in Windows RT by its programmers during its development.

That backdoor can be exploited to unlock the slab's bootloader and start up an operating system of your choice, such as GNU/Linux or Android, provided it supports the underlying hardware.

Normally, Windows RT devices are locked down to only boot software cryptographically signed by Microsoft. That's left some Windows RT owners frustrated because they're unable to switch to another OS: the firmware refuses to accept non-Microsoft code, and curious minds have been trying for years now to defeat these defenses and run whatever they want. The bootloader cannot be unlocked even if you have administrator-level access on the device.
#1157 How (and why) FreeDOS keeps DOS alive
Jim Hall’s day job is chief information officer for Ramsey County in the US state of Minnesota. But outside of work, the CIO is also a contributor to a number of free software/open source projects, including FreeDOS: The project to create an open source, drop-in replacement for MS-DOS.

FreeDOS (it was originally dubbed ‘PD-DOS’ for ‘Public Domain DOS’, but the name was changed to reflect that it’s actually released under the GNU General Public License) dates back to June 1994, meaning it is just over 22 years old — a formidable lifespan compared to many open source projects.

“And if you consider the DOS platform, MS-DOS 1.0 dates back to 1981, ‘DOS’ as an operating system has been around for 35 years! That’s not too shabby,” Hall said. (Version 1.0 of MS-DOS — then marketed by IBM as PC DOS — was released in August 1981.)

Hall has been involved in free software since the early ’90s when he was an undergraduate physics student. He first installed Linux on his home computer in 1993. These days Hall is a member of the board of directors for the open source GNOME desktop environment. He's also the author of GNU Robots and as well as FreeDOS he has contributed to a number of open source projects.
#1156 Ubuntu Linux forums hacked - IP address, username and email of 2M accounts compromised
There is a common misconception that all things Linux are bulletproof. The fact is, no software is infallible. When news of a Linux vulnerability hits, some Windows and Mac fans like to taunt users of the open source kernel. Sure, it might be in good fun, but it can negatively impact the Linux community's reputation -- a blemish, if you will.

Today, Canonical announces that the Ubuntu forums have been hacked. Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only things affected are the online forums that people use to discuss the OS. Still, such a hack is embarrassing, as it was caused by Canonical's failure to install a patch.

"There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation. Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. We apologize for the breach and ensuing inconvenience", says Jane Silber, Chief Executive Officer, Canonical Ltd.
#1155 Now ransomware is taking aim at business networks
Crypto-ransomware is becoming an increasing problem for businesses as cybercriminals are turning their attention to using these attacks to target corporate networks.

Cybercriminals are aware that this method of attack is working and are increasingly deploying it: according to a new Kaspersky Labs report on ransomware, the number of corporate users attacked with crypto-ransomware has increased by over six times with 718,000 victims in the last year compared to 131,000 during the previous 12 months.

Previously, ransomware attacks had largely ignored corporate networks, with hackers instead choosing to target home users. While home users still make up the vast majority of crypto-ransomware victims, corporate users now account for over one in ten infected.

Almost exactly half of crypto-ransomware attacks carried out between 2015 and 2016 used Teslacrypt ransomware - although the trojan is no more after its master key was released to the public in May. Nonetheless, prior to that point it had infected users, encrypted their files and demanded a ransom in Bitcoin in order to release.
#1154 Juniper patches high-risk flaws in Junos OS
Juniper Networks has fixed several vulnerabilities in the Junos operating system used on its networking and security appliances, including a flaw that could allow hackers to gain administrative access to affected devices.

The most serious vulnerability, rated 9.8 out of 10 in the Common Vulnerability Scoring System, is located in the J-Web interface, which allows administrators to monitor, configure, troubleshoot and manage routers running Junos OS. The issue is an information leak that could allow unauthenticated users to gain admin privileges to the device.

The flaw was fixed in Junos OS 12.1X46-D45, 12.1X46-D46, 12.1X46-D51, 12.1X47-D35, 12.3R12, 12.3X48-D25, 13.3R10, 13.3R9-S1, 14.1R7, 14.1X53-D35, 14.2R6, 15.1A2, 15.1F4, 15.1X49-D30 and 15.1R3. A temporary workaround is to disable J-Web or to limit which IP addresses can access the interface.
#1153 Exploit kits quickly adopt exploit thanks to open source release
A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.

CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.

Microsoft patched CVE-2016-0189 in May on Patch Tuesday. Applying this patch will protect a system from this exploit.
#1152 Crypto flaw made it easy for attackers to snoop on Juniper customers
As if people didn't already have cause to distrust the security of Juniper products, the networking gear maker just disclosed a vulnerability that allowed attackers to eavesdrop on sensitive communications traveling through customers' virtual private networks.

In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder.

"When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid," Wednesday's advisory stated. "This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation."
#1151 Cisco patches DoS flaw in NCS 6000 routers
Cisco Systems today released patches for two products, including one for a vulnerability rated a high criticality in Cisco IOS XR for the Cisco Network Convergence System series routers.

The flaw rests in the management of system timer resources and could allow an attacker to remotely crash the router.

“An attacker could exploit this vulnerability by sending a number of Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure FTP (SFTP) management connections to an affected device,” Cisco said in its advisory. “An exploit could allow the attacker to cause a leak of system timer resources, leading to a nonoperational state and an eventual reload of the RP on the affected platform.”
#1150 Security software priorities shift from defence to detection and response
The worldwide security software market was worth $22.1bn last year -- up by 3.7 percent from 2014.

Firms are tackling the unrelenting hacker threat by investing in security information and event management technology. The tech handles threat detection and security incident response through the real-time collection and analysis of security events. Spending in this area is growing faster than in any other segment of the security market, up 15.8 per cent, according to analyst Gartner. The sharpest decline in the security spending was on consumer-focused software, which fell 5.9 per cent year on year.

Gartner said interest in technologies focused solely on preventing security breaches is on the wane, in contrast to offerings that enable detection and response.

"Organizations are shifting security budgets from prevention to prediction, detection and response, and security vendors need to be capture this shifting spend," it said, pointing to identity governance and administration and data loss prevention technologies as growth areas.
#1149 Google hit by fresh European Union anti-trust charges
The European Commission has stepped up pressure on Google, alleging that it abused its dominance in internet shopping and restricted competition.

It also accused Google of stopping websites from showing adverts from the search engine's competitors.

And it strengthened an existing charge that Google favours its own comparison shopping services in search results.
#1148 Android banking malware blocks victims’ outgoing calls to customer service
In March 2016, newer variants of the Android.Fakebank.B family arrived with call-barring functionality. The feature aims to stop customers of Russian and South Korean banks from cancelling payment cards that the malware stole. The latest version of the threat shows how Android banking malware continues to evolve.

Once installed, the new Android.Fakebank.B variants register a BroadcastReceiver component that gets triggered every time the user tries to make an outgoing call. If the dialed number belongs to any of the customer service call centers of the target banks, the malware programmatically cancels the call from being placed.
#1147 The FBI says its malware isn’t malware because the FBI is good
The FBI is facing accusations that malware it deployed while running Operation Playpen, a sting that infiltrated and maintained a dark web child pornography website for two weeks and eventually led to more than 100 arrests, was illegal. But the agency swears that using malware was good because, well, the FBI had good intentions.

Some judges have actually ruled to throw out evidence obtained by the malware the FBI used on the basis that it did not have the proper warrants. (The DOJ and FBI just had a major breakthrough with the Supreme Court in modifying Rule 41, giving them expansive new hacking powers, but we’ll get to that in a second.) According to a legal brief filed by the FBI, “A reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious.”
#1146 Popular Android, iPhone stocks app leaks your trading activities
The popular SeekingAlpha mobile application for tracking stocks and shares on Android and iOS devices harbours a serious security flaw leading to information leaks.

Discovered by Derek Abdine of Rapid7, the vulnerability "leaks personally identifiable and confidential information, including the username and password to the associated account, lists of stock symbols the user is interested, and HTTP cookies," according to the team.

Seeking Alpha describes itself as a "platform for investment research" and provides users with tools and content for investors to ferret out information on public stocks, investment opportunities and other securities.
#1145 Mozilla begins process of letting Firefox rust
Mozilla has announced it has taken a small step towards replacing much of Firefox's C++ code with its safer alternative language, Rust.

When Firefox 48 ships on August 2, it will contain a Rust-built mp4 track metadata parser that will be available on Windows and 32-bit Linux desktops for the first time. Users of Mac OS X and 64-bit Linux have had the new parser available since Firefox 45.

"Media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in web browsers' implementation code," Dave Herman, Mozilla Research principal researcher and director of strategy, said in a blog post. "This makes a memory-safe programming language like Rust a compelling addition to Mozilla's tool-chest for protecting against potentially malicious media content."
#1144 Chrysler launches Detroit’s first ‘bug bounty’ for hackers
When a pair of hackers exposed security flaws a year ago in a Jeep Cherokee, Fiat Chrysler could have responded by trying to keep other hackers away from its products with intimidation or lawsuits. The demo led to a 1.4-million-vehicle recall, after all. But instead, the company is trying a smarter approach: offering to pay for hacks.

On Wednesday the Italian-owned Detroit automaker announced that it will pay “bounties” of as much as $1,500 to security researchers who alert the company to hackable flaws in its software. That makes the company the first major carmaker to officially shell out dollars in exchange for security vulnerability information, a sign of Detroit’s growing awareness of the looming threat of digital attacks on vehicles. “It’s a very big move,” says Casey Ellis, the CEO of Bugcrowd, the firm running Fiat Chrysler’s bug bounty program. “This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer.”
#1143 Cisco Jasper will help us solve the IoT data-delivery problem
Cisco's $1.4 billion acquisition of cloud-based Internet of Things (IoT) platform Jasper will enable the latter to continue its bid to solve the problem of data delivery for mobile providers, and taking the complexity out of IoT for enterprises.

Calling Jasper the "technical interface" for the more than 30 mobile operator groups for which it provides an IoT platform, Macario Namie, head of IoT Strategy for Cisco Jasper, said Jasper was founded 12 years ago to solve one major problem: Enabling enterprises to put connected products on mobile networks worldwide.

"For us, being part of Cisco, number one we still very much believe that the opportunity that existed for us as an independent business is just even that much greater," Namie told ZDNet.
#1142 Drupal patches remote code execution vulnerabilities in three modules
Developers with the open source content management framework Drupal today patched a series of highly critical remote code execution bugs in three separate modules. If exploited, the bugs could let an attacker take over any site running the modules.

Fixes were pushed for RESTful Web Services, a module used for creating REST APIs, Coder, a module used for code analysis, and Webform Multiple File Upload, a module used for collecting files from site visitors.
#1141 Intel patches local EoP vulnerability impacting Windows 7
Intel issued an important security patch Monday for a vulnerability that could allow hackers to execute arbitrary code on targeted systems running Windows 7. The bug, located in Intel’s HD graphics Windows kernel driver, leaves affected systems open to local privilege escalation attacks that could give criminals the ability to take control of targeted systems.

Specifically impacted, according to Intel, are users of Intel Graphics Driver for Microsoft Windows prior to March 28, 2016. Intel describes the flaw as one which, if exploited, “would directly impact the confidentiality, integrity or availability of user’s data or processing resources.”
#1140 Microsoft Patch Tuesday – July 2016
This month the vendor is releasing 11 bulletins, five of which are rated Critical.
#1139 Nation-backed malware that infected energy firm is 1 of 2016’s sneakiest
A campaign that targeted a European energy company wielded malware that's so sneaky and advanced it almost certainly is the work of a wealthy nation, researchers said Tuesday.

The malware contains about 280 kilobytes of densely packed code that, like a ninja warrior, cleverly and stealthily evades a large number of security defenses. It looks for and avoids a long list of computer names belonging to sandboxes and honeypots. It painstakingly dismantles antiviruses one process at a time until it's finally safe to uninstall them. It takes special care when running inside organizations that use facial recognition, fingerprint scanners, and other advanced access control systems. And it locks away key parts of its code in encrypted vaults to prevent it from being discovered and analyzed.

Once the malware has gained administrative control of a computer, it uses its lofty perch to survey the connected network, report its findings to its operators, and await further instructions. From then on, attackers have a network backdoor that allows them to install other types of malware, either for more detailed espionage or potentially sabotage. Researchers from security firm SentinelOne found the malware circulating in an underground forum and say it has already infected an unnamed energy company in Europe.
#1138 Cisco boasts 100 percent security coverage
Cisco has said it will do whatever it takes, including working alongside competitors, in order to ensure that it has the best security offering that covers customers 100 percent of the time.

Admitting that the 100 percent statement is a "bold claim", Scott Harrell, VP of Product Management in Cisco's Security Business Group, explained that it means Cisco will provide protection for customers whether they are on business premises or working remotely.

"What we're talking about is the fact that you as customers, you as network administrators, as partners, who are trying to find and deploy these complex networks, your problem's not just a firewall at the edge ... your problem's more than that," Harrell, speaking at the second day of Cisco Live Las Vegas, said.

"You have diverse infrastructures, you have campuses, you have datacentres, you have branches, you have users that are sales personnel that never come back on-prem, they spend their whole life off-prem and seldom connect back into the VPN, you have applications that you're being pushed to move to the cloud by your line of business.
#1137 Vulnerability exploitable via printer protocols affects all Windows versions
Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices via a simple mechanism. The vulnerability affects all Windows versions ever released.

Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087. At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers.

By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges.

Vectra researchers discovered that an attacker can replace these drivers on the printer with malicious files that allow him to execute any code he'd like on the infected machine.

The attack can be launched from the local network or via the Internet, thanks to the Internet Printing Protocol or the webPointNPrint protocol. This type of attack can be delivered via innocuous methods such as ads (malvertising) or JavaScript code hidden in compromised websites.
#1136 Leaky database leaves Oklahoma police, bank vulnerable to intruders
A leaky database has exposed the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank.

The vulnerability—which has reportedly been fixed—was revealed on Tuesday by Chris Vickery, a MacKeeper security researcher who this year has revealed numerous data breaches affecting millions of Americans.

The misconfigured database, which was managed by a company called Automation Integrated, was exposed for at least a week, according to Vickery, who said he spoke to the company’s vice president on Saturday. Reached on Tuesday, however, an Automation Integrated employee said “no one” in the office was aware of the problem.

“They said that they were going to let their clients know,” Vickery said.
#1135 VPN provider removes Russian presence after servers seized
VPN provider Private Internet Access has pulled out of Russia in the wake of new internet surveillance legislation in the country.

The company claims that some of its Russian servers were seized by the national government as punishment for not complying with the rules, which ask providers to log and hold all Russian internet traffic and session data for up to a year.

‘We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process,’ wrote Private Internet Access in a blog post.

The provider assured users that as it does not log any traffic or session data, no information was compromised – ‘Our users are, and will always be, private and secure.’
#1134 Little Snitch bug leaves some Mac systems open to attack
Trusted Mac OS X firewall Little Snitch is vulnerable to local privilege escalation attacks that could give criminals the ability to plant rootkits and keyloggers on some El Capitan systems.

The Little Snitch firewall vulnerability was found by Synack Director of Research and well-known OS X hacker Patrick Wardle. Affected are 3.x versions of the Little Snitch firewall software released prior to build 3.6.2 running on El Capitan. Wardle did not test versions of Little Snitch released prior to 3.x.

In January, Wardle discovered that the firewall software contained a local escalation of privileges (EoP) vulnerability that any local user (or malware) could exploit. The following month, Little Snitch’s developer Objective Development released the (3.6.2) version of the firewall that fixed the problem.

“This is a serious flaw and an important software update that Little Snitch users could have easily missed,” Wardle told Threatpost.
#1133 Ranscam ransomware deletes victims’ files outright
Researchers have observed ransomware so sophisticated over the last few months that we’ve seen a variant tease researchers with strings of hidden code and another composed entirely of JavaScript. But not every attacker is technically proficient; researchers are suggesting the ones behind a new strain of ransomware may just be plain lazy.

The ransomware Ranscam simply deletes users’ files, even if the victim chooses to pay, researchers at Cisco’s Talos Security Intelligence and Research Group claim, no encryption needed.

Like the ransomware’s name implies, Ranscam is just that: a ‘scam.’

According to two researchers with the group, Edmund Brumaghin and Warren Mercer, who wrote about it on Monday, after a user’s machine is infected, Ranscam starts out like any other type of ransomware. Victims are encouraged to pay 0.2 BTC ($130 US) to unlock their files, which Ranscam claims have been moved to a hidden partition and encrypted.
#1132 xDedic hacked server market resurfaces on Tor domain
The xDedic market has resurfaced, this time on a Tor network domain and with the inclusion of a new $50 USD enrollment fee.

xDedic’s original domain (xdedic[.]biz) disappeared shortly after a June 16 Kaspersky Lab report describing how xDedic provided a platform for the sale of compromised RDP servers. At the time of the report, there were 70,000 hacked servers for sale for as little as $6, and the website was doing brisk business.

Researchers at Digital Shadows reported today that a June 24 post to the Russian-language forum, exploit[.]in, included a link to the .onion site now hosting xDedic.

“The new xDedic site was found to be identical in design to the previous site and although discussion in the exploit[.]in thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered,” Digital Shadows wrote in an incident report shared with Threatpost. “However, following registration, accounts had to be credited with $50 USD in order to activate them.”
#1131 Adobe patches 52 vulnerabilities in Flash Player
Adobe today pushed out an updated Flash Player that patched 52 vulnerabilities, most of which led to remote code execution on compromised machines.

The 52 flaws represent one of the biggest security updates in Flash this year, in what has been a busy time around the beleaguered software. Already, Adobe has had to push out emergency updates addressing zero day vulnerabilities under attack by criminals and APT attackers.

None of the flaws patched today are currently under attack in the wild.
#1130 Ransomware 'stopped' by new software
The solution - dubbed CryptoDrop - detected the malware and stopped it after it had encrypted just a handful of files, said its developers.

Patrick Traynor, an associate professor in UF's department of computer and information science, worked with PhD student Nolen Scaife and Henry Carter, from Villanova University, on the software.

"Our system is more of an early-warning system," Mr Scaife said.

"It doesn't prevent the ransomware from starting... it prevents the ransomware from completing its task… so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom."
#1129 Billion-dollar scams: The numbers behind BEC fraud
Business email compromise (BEC), or CEO fraud, continues to be the bane of companies in 2016. BEC scams are low-tech financial fraud in which spoofed emails from CEOs are sent to financial staff to request large money transfers. While they require little expertise and skill, the financial rewards for the fraudsters can be high. An Austrian aerospace manufacturer recently fired its president and CFO after it lost almost US$50 million to BEC fraudsters.

In light of recent warnings from the FBI regarding BEC, we took an in-depth look at Symantec’s Email data to get a better understanding of the state of BEC fraud today.
#1128 Now it’s easy to see if leaked passwords work on other sites
Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May.
#1127 Serious flaw fixed in widely used WordPress plug-in
If you're running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site's admin account.

The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.

The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue.
#1126 How to hack mobile devices using YouTube videos
Researchers have devised a way to leverage YouTube to hack mobile devices.

A team from the University of California, Berkeley, and Georgetown University have developed the means to compromise a mobile device using hidden voice commands embedded within a YouTube video.

In order for the device to be attacked, the intended victim needs to do nothing more than watch the YouTube content.

The researchers say on their project page that the hidden voice commands used by the attack are "unintelligible to human listeners but which are interpreted as commands by devices."
#1125 BMW Core Web Portal & ConnectedDrive - exploitation of car configurations
Today we will talk about two vulnerabilities that were discovered by Vulnerability Laboratory core team member "Benjamin Kunz Mejri" and which are not patched yet! There are two main bugs, both related to the BMW online service and web app for ConnectedDrive.

The first vulnerability was found in the BMW ConnectedDrive web application. The vulnerability allows remote attackers to manipulate specific configured parameters to compromise the affected web-application service. A vehicle identification number, commonly abbreviated to VIN, or chassis number, is a unique code including a serial number, used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters and mopeds as defined in ISO 3833.

The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN while it is being created. By tampering with a live session, remote attackers are able to change the action information to create or update. This allows an attacker to bypass the invalid VIN exception and finally add a new configuration. This interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration. The session validation flaw can be exploited with a low-privilege user account, leading to manipulation of VIN numbers and configuration settings such as compromising registered and valid VIN numbers through the ConnectedDrive portal. The settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on.

After successfully exploiting the flaw to integrate the VIN in the portal, the attacker can log in with the ConnectedDrive iOS application. The attacker adds the illegal VIN to his account via the portal and can access the configuration via the mobile application or portal. This way an attacker is able to gain unauthorized access to the infotainment system of BMW cars and interact with it without hardware manipulation or cable access.
#1124 MIT researchers devise new anonymity network following Tor bug
Computer scientists at Massachusetts Institute of Technology have devised a new anonymity network they say is more secure than Tor.

For the uninitiated, anonymity networks like Tor let you hide your location and Web activity, offering people living under repressive regimes, for instance, protection from prying eyes monitoring their Internet use. But following the recent discovery of vulnerabilities in Tor, researchers at MIT's Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne have been working on a more secure anonymity scheme. Now they say they have succeeded.
#1123 Google to train 2 million Indian Android developers
Google has announced its new “Android Fundamentals” training program, which aims to train and certify up to two million Android developers in India. An Android Fundamentals training course, soon to be available online and at schools country-wide, is focused on training, testing and certifying Android developers to prepare students for careers using Android technology.
#1122 Jigsaw ransomware decrypted, again
The four-month-old Jigsaw ransomware has been defeated again. The ransomware, that packs an emotional punch with its creepy graphics and hallmark countdown clock, can be overcome simply by tricking the ransomware code into thinking you’ve already paid.

Researchers at Check Point published a fix for those infected by Jigsaw. The ransomware originally got its name for infecting computers and then displaying the menacing image of “Billy the Puppet” from the horror movie franchise Saw. Jigsaw threatens to delete thousands of files an hour if you don’t pay 0.4 Bitcoins or $150; restarting your PC costs you 1,000 deleted files.
#1121 Cisco unveils three DNA network security technologies
Cisco has announced three new technologies for its Digital Network Architecture (DNA) solution to enable network engineers, application developers, channel partners, and IT customers to embed improved and simplified security within their network infrastructure layer: Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

All three are designed to improve mobility and cloud security threats, according to the networking giant.

The first technology, Cisco's Umbrella Branch cloud-delivered security software, provides businesses with increased control over guest Wi-Fi usage via content filtering. It can be activated on the Cisco Integrated Services Routers (ISR) 4,000 series, and works to filter and block malware, command and control (C2) callbacks, and phishing threats before they reach the network.
#1120 Cisco bolsters cloud security offering with new solutions
Cisco has announced six new cloud-based services and solutions as part of its security portfolio: Umbrella Roaming, Defense Orchestrator, Security for Digital Transformation, Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

The new services form part of Cisco's suite of solutions to embed security in the access points and endpoints on the network; according to CEO Chuck Robbins, 47 percent of Cisco's security portfolio is now delivered via software.

The first new simplified security offering, Cisco Umbrella Roaming, is an AnyConnect module to protect a business' roaming employees from off-network threats and site connections while working remotely.
#1119 Millions of Xiaomi phones at risk of remotely installed malware
Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware.

The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system-level.
#1118 IoT medical devices: A prescription for disaster
If you’re sick and sitting in a drab hospital room hooked-up to a dialysis pump, the last thing you want to worry about is hackers. But according to IT healthcare security experts, there is a chance that life-saving dialysis machine is infected with malware, could even be processing fraudulent credit card transactions, or is part of a DDoS attack as it cleans your blood.

Hospitals are prime targets for hackers who see internet-connected healthcare equipment as low-hanging fruit when it comes to making a quick buck by stealing medical records, nefariously sucking up computer resources or perpetrating a ransomware attack, said Yong-Gon Chon, CEO of Cyber Risk Management.

“This equipment saves lives and can’t be taken offline like a laptop that goes back to IT for a week to be wiped and re-imaged,” Chon said. Hospitals are getting hammered by hackers targeting IoT devices. He said modern hospital security systems too often overlook IoT devices when it comes to security, making them an easy target.
#1117 Executive's guide to mobile security (free ebook)
Attacks against mobile devices are growing more widespread and more sophisticated. That's the bad news. The good news? Enterprises are growing more diligent about protecting against mobile threats, and security vendors are rolling out new and innovative platforms for mobility management.

But even with better tools in hand, IT and business leaders still face rough terrain, trying to stay ahead of emerging risks and build the best defenses against them.
#1116 HTTPS is not a magic bullet for Web security
We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

The plan is for browsers to start labeling HTTP connections as insecure. In other words, instead of the green lock icon that indicates a connection is secure today, there will be a red icon to indicate when a connection is insecure. Eventually secure connections would not be labeled at all, they would be the assumed default.

Google has also been pushing HTTPS connections by "using HTTPS as a ranking signal," meaning Google takes the security of a connection (or lack thereof) into consideration when ranking sites in search results. For the time being, Google says that HTTPS is "a very lightweight signal... carrying less weight than other signals such as high-quality content." However, the company says that it "may decide to strengthen" this indicator as a means to encourage more sites to adopt HTTPS.
#1115 Time management tips: How to create meetings that work
Meetings are a plague on modern business: bored staff can waste months of their lives nodding along when they could be doing something more productive.

Research suggests the average employee attends a total of 60 meetings per month, and that 30 per cent of workplace time is wasted in the process.

So what are the best time management tips for executives? ZDNet speaks to four experts who give their view on keeping meetings tight and workers productive.
#1114 The state of mobile device security: Android vs. iOS
The big question is: who takes the gold? While Android has made significant progress, iOS remains more prevalent in the enterprise, Zumerle said, with the consistency of experience being a major factor.

"The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform," Zumerle said.

That may be the case now, but it could change over the next year or two, depending on the trajectory of the two companies' mobile strategies. The real winners in all this are the users, who will continue to benefit from enhanced security as Apple and Google seek to stay ahead of continuing threats.
#1113 Industrial cybersecurity threat landscape
Industrial control systems (ICS) surround us: they are used in electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Smart cities, smart houses and cars, medical equipment – all of that is driven by ICS.

Expansion of the Internet makes ICS easier prey to attackers. The number of ICS components available over the Internet increases every year. Taking into account that initially many ICS solutions and protocols were designed for isolated environments, such availability often provides a malicious user with multiple capabilities to cause impact to the infrastructure behind the ICS due to lack of security controls. Moreover, some components are vulnerable themselves. The earliest available information about vulnerabilities in ICS components dates to 1997; only two vulnerabilities were published that year. Since then the number of vulnerabilities has significantly increased. Over the past five years this index has increased from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015.

Sophisticated attacks on ICS systems are not something new anymore. It is worth remembering an incident in 2015 in Ivano-Frankivsk, Ukraine, where around half of the houses were left without electricity because of a cyber-attack against the Prykarpattyaoblenergo power company, and it was only one of multiple victims of the BlackEnergy APT campaign.
#1112 How Poland’s intrusive new spying law could bug world leaders at NATO summit
Polish spies could be secretly eyeballing world leaders attending the NATO summit in Warsaw, but it's impossible to know if such snooping is taking place—all thanks to a new law that came into force just last week.

The new anti-terrorism legislation was signed by Polish president Andrzej Duda on June 22. It came into force one week later. Under the law, secret surveillance may be carried out on any foreigner for up to three months without a court order. This includes undercover audio and video taping, bugging private premises, and accessing private electronic and phone communications.

National leaders including British Prime Minister David Cameron, US President Barack Obama, Canadian Prime Minister Justin Trudeau (who will face tough questions over his decision not to invest in military aircraft), German Chancellor Angela Merkel, and French President Francois Hollande are all in the Polish capital for the summit over the next few days.
#1111 The Dropping Elephant – aggressive cyber-espionage in the Asian region
Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when combined with high quality social engineering. We have seen more such open source toolset dependency with meterpreter and BeEF, and expect to see this trend continue.
#1110 DroidJack uses side-load. It's super effective! Backdoored Pokemon GO Android app found
Pokemon GO is the first Pokemon game sanctioned by Nintendo for iOS and Android devices. The augmented reality game was first released in Australia and New Zealand on July 4th and users in other regions quickly clamored for versions for their devices. It was released on July 6th in the US, but the rest of the world will remain tempted to find a copy outside legitimate channels. To that end, a number of publications have provided tutorials for "side-loading" the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for.

In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone. The DroidJack RAT has been described in the past, including by Symantec [2] and Kaspersky [3]. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.

Likely due to the fact that the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties. Additionally, many large media outlets provided instructions on how to download the game from a third party [4,5,6]. Some even went further and described how to install the APK downloaded from a third party [7]:

“To install an APK directly you'll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the "unknown sources" checkbox.”
#1109 CISSP certification: Are multiple choice tests the best way to hire infosec pros?
Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.
#1108 17K names in leaked DNC database appear to be ticket purchases
The 17,000 names leaked after a hack of Democratic National Convention documents appear to largely belong to people who purchased tickets to DNC events, many of the listed donors have confirmed.

The database includes names, addresses, email addresses and phone numbers. The hacker claiming credit, who goes by Guccifer 2.0, posted it and other documents to his blog last night.
#1107 Bitcoin 'miners' face fight for survival as new supply halves
Marco Streng is a miner, though he does not carry a pick around his base in south-western Iceland. Instead, he keeps tens of thousands of computers running 24 hours a day in fierce competition with others across the globe to earn bitcoins.

In the world of the web-based digital currency, it is not central banks that add new money to the system, but rather computers like Streng's which are awarded fresh bitcoins in return for processing blocks of the latest bitcoin transactions.

Bitcoin can be used to send money instantly around the world, using individual bitcoin addresses, free of charge with no need for third party checks, and is accepted by several major online retailers.
#1106 HTTPS crypto’s days are numbered. Here’s how Google wants to save it
Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.

In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that's currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.
#1105 Extortion extinction: Researchers develop a way to stop ransomware
Ransomware - what hackers use to encrypt your computer files and demand money in exchange for freeing those contents - is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks.

The answer, they say, lies not in keeping it out of a computer but rather in confronting it once it's there and, counterintuitively, actually letting it lock up a few files before clamping down on it.

"Our system is more of an early-warning system. It doesn't prevent the ransomware from starting ... it prevents the ransomware from completing its task ... so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom," said Nolen Scaife, a UF doctoral student and founding member of UF's Florida Institute for Cybersecurity Research.

Scaife is part of the team that has come up with the ransomware solution, which it calls CryptoDrop.

Ransomware attacks have become one of the most urgent problems in the digital world. The FBI issued a warning in May saying the number of attacks has doubled in the past year and is expected to grow even more rapidly this year.
#1104 Facebook Messenger end-to-end encryption not on by default
Facebook today began a test program rolling out opt-in end-to-end encryption for its Messenger service called Secret Conversations.

The end-to-end encryption is based on the Signal protocol developed by Open Whisper Systems, the same protocol that stands up the crypto in the Signal and WhatsApp messaging applications.

The Facebook version of the encryption service is not on by default and is available only on one device at a time.

“Starting a secret conversation with someone is optional. That’s because many people want Messenger to work when you switch between devices, such as a tablet, desktop computer or phone,” Facebook said in its announcement. “Secret conversations can only be read on one device and we recognize that experience may not be right for everyone.”
#1103 Researchers add software bugs to reduce the number of… software bugs
Researchers are adding bugs to experimental software code in order to ultimately wind up with programs that have fewer vulnerabilities.

The idea is to insert a known quantity of vulnerabilities into code, then see how many of them are discovered by bug-finding tools.

By analyzing the reasons bugs escape detection, developers can create more effective bug-finders, according to researchers at New York University in collaboration with others from MIT’s Lincoln Laboratory and Northeastern University.

They created large-scale automated vulnerability addition (LAVA), which is a low-cost technique that adds the vulnerabilities. “The only way to evaluate a bug finder is to control the number of bugs in a program, which is exactly what we do with LAVA,” says Brendan Dolan-Gavitt, a computer science and engineering professor at NYU’s Tandon School of Engineering.
#1102 Stress-reducing MDM tips for businesses managing Apple devices
Ever since employee-owned devices, and particularly iPhones and iPads, began appearing in offices, organizations of all sizes have struggled to properly administer and secure non-corporate-owned smartphones and tablets. In fact, the trend became so pronounced it spawned a new acronym: BYOD, for Bring Your Own Device.

Businesses are torn about satisfying sometimes competing initiatives: accommodate employees' iPhone and iPad adoption, enable employee productivity, efficiently deploy and administer applications, and secure business data from unauthorized access. The way to balance these interests is to use a mix of capable platforms as part of your mobile device management (MDM) strategy.
#1101 Antivirus software is 'increasingly useless' and may make your computer less safe
Is your antivirus protecting your computer or making it more hackable?

Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches.

This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities.

"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install.

It's not the only instance of security software potentially making your computer less safe.

Concordia University professor Mohammad Mannan and his PhD student Xavier de Carné de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems.
#1100 Cyber spies are still using these old Windows flaws to target their victims
Hackers using only the most basic forms of cyberattack have been able to successfully steal files from high-profile governmental and diplomatic targets.

A cyber-espionage operation has targeted individuals and organisations across the globe, although the vast majority of attacks have focused on Chinese government and diplomatic entities, individuals associated with them and partners of these organisations.

Cybersecurity researchers from Kaspersky Lab's Global Research and Analysis team have been investigating the "aggressive cyber-espionage activity" since February. The researchers suggest that it originates in India and that attacks are undertaken using old exploits, low-budget malware tools and basic social engineering methods.
#1099 Privacy Shield data pact gets European approval
A revised pact governing EU-US data flows has been approved by European governments.

The Privacy Shield agreement replaces the previous accord, called Safe Harbour, that was struck down in October 2015.

Safe Harbour let US companies self-certify that they were doing enough to protect data about Europeans.

The European Court of Justice threw out Safe Harbour after leaks showed data was being spied upon.
#1098 Putin is literally breaking the internet
Earlier today, President Putin ordered the Federal Security Service to produce “encryption keys” capable of decrypting all data on the internet. No one is really sure what this means exactly, but the FSB has two weeks to make them, Meduza reports. That’s just one part of the Russian government’s silly and insanely expensive new plan for internet surveillance, signed into law under the “anti-terrorist” bill today and going into effect on July 20th.

These regulations aren’t just terrifyingly invasive. They’re technically nonsense, and they’re so costly to try to implement that they could put many internet and phone service providers out of business, force noncomplying foreign companies out of Russia and kick a massive dent into Kremlin’s already crumbling infrastructure budget.
#1097 Best practices for managing the security of BYOD smartphones and tablets
The practice of employees using personal phones and tablets at work is already widespread, with the number of such devices forecast to hit one billion by 2018.

The challenge posed to enterprises by the Bring Your Own Device (BYOD) trend is that it forces them to keep corporate data safe on a plethora of different mobile computers that are not directly under IT's control. Worse, each device can potentially be running a different OS, with different apps installed and different vulnerabilities.

How should organisations approach the security of these devices in a way that doesn't interfere with employees' ability to work?
#1096 CryptXXX, Cryptobit ransomware spreading through campaign
Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains.

The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the url realstatistics[.]info, into the PHP template of infected sites over the past few days.

In a post to the company’s blog on Wednesday, Sucuri CTO and founder Daniel Cid claimed the campaign was redirecting visitors first to the Neutrino Exploit Kit. If the kit was able to successfully exploit either a Flash or PDF reader vulnerability, it left them saddled with the ransomware du jour, CryptXXX.
#1095 Google is experimenting with post-quantum cryptography
Anticipating the development of large quantum computers that could theoretically break the security protocol behind HTTPS, Google announced Thursday that it's experimenting with post-quantum cryptography in Chrome.

The company is adding a post-quantum key-exchange algorithm to a small fraction of connections between desktop Chrome and Google's servers, Google software engineer Matt Braithwaite explained. The post-quantum algorithm will be added on top of the existing, elliptic-curve key-exchange algorithm that's typically used, ensuring the same level of security for users.

The experiment is currently enabled in Chrome Canary, and users can look for it by opening the Security Panel under Developer Tools and looking for "CECPQ1".
#1094 Google fixes high-risk Android vulnerabilities in July update
Google is rolling out patches for Android in the July security bulletin, which contains dozens of security fixes for weaknesses in the Android system, many of which are deemed critical.

With a slight delay due to Independence Day weekend, Google released the latest security advisory on Wednesday for the Android mobile operating system. It affects Google's Nexus product range and any handset or tablet based on Android.

The most severe issue patched is a set of critical flaws in Mediaserver, which could enable remote code execution on a vulnerable device through different methods, including fraudulent emails, phishing campaigns, web browser injections, and MMS when processing media files.

Google has also patched remote code execution flaws discovered within OpenSSL, BoringSSL, and Bluetooth protocols.
#1093 DLink WiFi camera flaw extends to 120 products
A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company.

Researchers at Senrio, who found the original vulnerability, disclosed today additional details of product vulnerabilities related to the component after collaborating with D-Link. Senrio said the flaw also puts D-Link Connected Home products at risk, including other cameras, routers, models and storage devices.

Patches are yet unavailable despite indications from D-Link to Senrio that they would be ready July 1. A request for comment from D-Link was not returned in time for publication.
#1092 10 million Android phones infected by all-powerful auto-rooting apps
Security experts have documented a disturbing spike in a particularly virulent family of Android malware, with more than 10 million handsets infected and more than 286,000 of them in the US.

Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300 million per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android. The Check Point researchers have dubbed the malware family "HummingBad," but researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices.

For the past five months, Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways, including by infiltrating the command and control servers it uses. The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers. HummingBad does this by silently installing promoted apps on infected phones, defrauding legitimate mobile advertisers, and creating fraudulent statistics inside the official Google Play Store.
#1091 CryptXXX ransomware updates ransom note, payment site
For the second time since June 1, the handlers of CryptXXX ransomware have changed their ransom note and Tor payment site. More importantly to those developing detection signatures and administrators, this update no longer makes changes to the file extensions of encrypted files.

“To make it more difficult for administrators, this release no longer uses special extensions for encrypted files,” said researcher Lawrence Abrams on the BleepingComputer website. “Now an encrypted file will retain the same filename that it had before it was encrypted.”

Researcher and SANS Internet Storm Center handler Brad Duncan found the latest update to CryptXXX, in particular to post-infection activity. Duncan found the changes on a Windows machine compromised by the Neutrino Exploit Kit involved in the pseudo-Darkleech campaign.
#1090 Android KeyStore encryption scheme broken, researchers say
The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.

In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.

KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device.

Mohamed Sabt and Jacques Traoré, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is “non-provably secure,” and could have “severe consequences.”
#1089 Symantec: Latest Intelligence for June 2016
The Latest Intelligence page has been refreshed through June 2016, providing the most up-to-date analysis of cybersecurity threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Here are some key takeaways from this latest batch of intelligence.

This month the Angler toolkit dropped nearly 30 percentage points in June, making up 22.7 percent of all toolkit activity. The toolkit hasn't disappeared completely, but by the end of June activity was 16 times lower than its peak in May.

Meanwhile the Neutrino toolkit increased almost 10 percentage points in June. This toolkit was particularly active in the later part of the month, around the same time Angler saw its deepest decline. This decline in Angler activity follows the disappearance of the Nuclear and Spartan toolkits from our top five list over the past two months, along with a lull in activity from a number of threat groups.

Manual Sharing continues to dominate social media scams, increasing more than 20 percentage points. Fake Offers decreased in June, down from 25.68 percent in May to 12.17 percent in June.
#1088 New OSX/Keydnap malware is hungry for credentials
ESET analyzes multiple samples targeting OS X every day. Those samples are usually potentially unwanted applications that inject advertisements into browser displays while the victim is browsing the web.

For the last few weeks, we have been investigating an interesting case where the purpose of the malware is to steal the content of the keychain and maintain a permanent backdoor. This article will describe the components of this threat and what we know about it so far.

It is still not clear how victims are initially exposed to OSX/Keydnap. It could be through attachments in spam messages, downloads from untrusted websites or something else.

What we know is that a downloader component is distributed in a .zip file. The archive file contains a Mach-O executable file with an extension that looks benign, such as .txt or .jpg. However, the file extension actually contains a space character at the end, which means double-clicking the file in Finder will launch it in Terminal and not Preview or TextEdit.
#1087 After hiatus, in-the-wild Mac backdoors are suddenly back
After taking a hiatus, Mac malware is suddenly back, with three newly discovered strains that have access to Web cameras, password keychains, and pretty much every other resource on an infected machine.

The first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac's file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.

"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post published Wednesday. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."
#1086 European Union’s first cybersecurity law gets green light
The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Inc. to report attacks.
#1085 Criminals winning 'cyber arms race' - UK National Crime Agency
Businesses and law enforcement agencies are losing the "cyber arms race" with online criminals, the UK's National Crime Agency has warned.

The technical capabilities of criminal gangs are outpacing the UK's ability to deal with their threat, the NCA added.

It said there were 2.46 million "cyber incidents" last year, including 700,000 frauds - with the biggest threat coming from "a few hundred" criminals.

The government is to spend £1.9bn over the next five years on cyber-defences.

The NCA's annual assessment of cybercrime found a key threat to the UK comes from international gangs.

Some are so well-developed they run call centres and employ translators.
#1084 Android security bulletin features two patch levels
The frail world of the Android ecosystem has taken some hits in the past week with the disclosure of a full disk encryption bypass vulnerability and the arrival of the HummingBad malware.

The FDE bypass highlighted the need to keep Android patch levels current, but as Duo Labs statistics point out, that remains a struggle for Android users who must rely on carriers and handset makers to integrate and distribute Google updates.

The latest Android Security Bulletin, released today, provides little relief. It’s a sizable update—late by nearly a week because of the July 4 U.S. holiday—but contains fixes for problems in a host of familiar areas including Mediaserver and a number of Qualcomm, MediaTek and NVIDIA components that have been featured in almost every bulletin since the monthly releases started last August.
#1083 EasyDoc malware adds Tor backdoor to Macs for botnet control
Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor.

The software, called EasyDoc, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the system, allowing it to be used as part of a botnet or to spy on the owner.

"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," said Tiberius Axinte, Technical Leader, Bitdefender Antimalware Lab.

"For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless."
#1082 Adwind RAT resurfaces, targeting Danish companies
The remote access Trojan Adwind has resurfaced and as of last weekend, is being used in spam emails targeting Danish companies, researchers said.

In emails purporting to be order requests coming from either spoofed or fake return addresses, attackers are spreading malicious .jar, or Java archive files. Assuming a user clicks through and opens the file, Adwind’s code is run, and the machine is pulled into a botnet.

According to researchers with Romania-based Heimdal Security, who described the RAT in a blog post on Monday, this iteration of Adwind communicates with a server that’s been used in other RAT campaigns that use dynamic DNS services. Command and control servers used by the RAT have been down and up over the course of its existence. Most of them rely on Dynamic DNS servers and are not real domain registrations.
#1081 An increase of sophisticated phishing attacks in Sweden
Whilst sitting and working in the South African office I receive an email from my Swedish ISP. I quickly look at it and there is something that doesn’t add up. The email states that I need to pay my invoice, but I never receive electronic invoices from this company.

Like everyone else I receive a lot of spam and phishing emails, but this one is different from any other phishing email I have ever seen before. To be honest, it’s probably the most sophisticated phishing campaign that I’ve ever encountered. It’s not the technical setup that makes it sophisticated; it is a very simple factor that has been added to the email that just makes the email look very authentic.

The phishing campaign has the usual mistakes: the sender of the email is not related to the company, and the domains used in the links don’t point to a domain that is registered by the ISP.
#1080 12 security suites for Mac OS X put to the test
While Mac OS X does already utilize its own internal system protection mechanisms, those wanting to be absolutely sure should ramp up their protection with good security software. The Magdeburg-based institute, AV-TEST, examined 12 of the latest applications, whereby some of them did not perform well.
#1079 Second man pleads guilty of hacking entertainment industry celebrities
A second man has pleaded guilty to using a phishing scheme to get access to private and sensitive videos and photographs of people in the entertainment industry in Los Angeles.

Edward Majerczyk, 28, a resident of Chicago and Orland Park, Illinois, has admitted in a plea agreement entered in the U.S. District Court for the Central District of California that between Nov. 23, 2013 and August 2014, he had engaged in a phishing scheme to obtain usernames and passwords from his victims, according to the U.S. Attorney’s Office for the Central District of California.
#1078 Encryption bypass vulnerability impacts half of Android devices
A flaw in chipmaker Qualcomm’s mobile processor, used in 60 percent of Android mobiles, allows attackers to crack full disk encryption on the device. Only 10 percent of Android devices running Qualcomm processors are not vulnerable to this type of attack.

Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver component coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE). Together, these vulnerabilities could allow someone with physical access to the phone to bypass the full disk encryption (FDE).

The vulnerability, discovered by Gal Beniamini last week, builds off of earlier research by Beniamini and Duo Labs published in May. That’s when both highlighted a previously unpatched vulnerability (CVE-2016-2431) in Google’s mediaserver component. Google has since patched that vulnerability, but a large percentage of Android phones have yet to receive that update.
#1077 TPLINK loses control of two device configuration domains
Security researcher Amitay Dan warns that, a domain through which TP-LINK router owners can configure their devices, is no longer owned by the company, and that this fact could be misused by malware peddlers.
#1076 MRI software bugs could upend years of research
A whole pile of “this is how your brain looks like” MRI-based science has been potentially invalidated because someone finally got around to checking the data.

The problem is simple: to get from a high-resolution magnetic resonance imaging scan of the brain to a scientific conclusion, the brain is divided into tiny “voxels”. Software, rather than humans, then scans the voxels looking for clusters.
#1075 Scope of ThinkPwn UEFI zero-day expands
A serious hardware vulnerability, thought to be confined to UEFI drivers in Lenovo and HP laptops, has also been found in firmware running on motherboards sold by Gigabyte.

The flaw was publicly disclosed last week by researcher Dmytro Oleksiuk. No patches are yet available.

Oleksiuk said the flaw, which he calls ThinkPwn, is in the SystemSmmRuntimeRt UEFI driver, which he found on firmware in Lenovo ThinkPad laptops.

“Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the newest one is T450s (with latest firmware versions available at this moment),” Oleksiuk wrote on a Github entry. Oleksiuk published proof-of-concept exploit code for the vulnerability last week along with his disclosure.
#1074 Android Nougat prevents ransomware from resetting device passwords
The upcoming Android version, known as Android Nougat, will introduce a condition so that the invocation of the resetPassword API can only be used to set the password and not to reset the password.

This development will be effective in ensuring that malware cannot reset the lockscreen password, as the change is strictly enforced and there is no backward compatibility escape route for the threat. Backward compatibility would have allowed malware to reset the lockscreen password even on newer Android versions. With this change, there is no way for the malware to reset the lockscreen password on Android Nougat.
#1073 This Android malware has infected 85 million devices and makes its creators $300,000 a month
A strain of Android malware has infected 85 million victims across the globe, generating at least $300,000 every month for the gang behind it, thanks to millions of pop-up adverts and app downloads.

On top of that, experts have warned that the spread of the malicious HummingBad software could be used to do even worse damage by stealing victims' data.

The mobile malware has been analysed by security researchers at Check Point after it was found on Android devices belonging to two employees at "a large financial institution". In-depth findings on the malware are laid out in the company's 'From HummingBad to Worse' report. The gang behind the malware -- thought to be located in China -- are estimated to generate around $1m every quarter from fraudulent ad revenue and the installation of bogus apps.
#1072 Identity fraud up by 57% as thieves target social media
The number of victims of identity theft rose by 57% last year, figures from fraud prevention service Cifas suggest.

The data, taken from 261 companies in the UK, suggests fraudsters are increasingly getting people's personal information from social media sites.

Cifas said Facebook, Twitter and LinkedIn had become a "hunting ground" for identity thieves.

It said there were more than 148,000 victims in the UK in 2015 compared with 94,500 in 2014.

A small percentage of cases involved fictitious identities but most fraudsters assumed the identity of a real person after accessing their name, date of birth, address and bank details. More than 85% of the frauds were carried out online.
#1071 Tor Privacy settings coming to Firefox
Mozilla works on uplifting privacy settings of the Tor browser project to the Firefox web browser to provide privacy conscious users with additional privacy-related options.

While the Tor browser is based on Firefox ESR, it is modified with additional privacy and security settings to protect users of the browser while using the program.

Considering that Tor browser is used by some in critical situations, whistleblowing, publishing news or communication, it is only natural that a stronger focus on privacy and security is necessary.

Mozilla acknowledges these modifications, and plans to integrate some of them in Firefox natively. In fact, the company has already begun to integrate some in Firefox, and plans to integrate others in the future.
#1070 Satana ransomware – threat coming soon?
Petya ransomware is quickly becoming a household name and in typical cyber-criminal fashion, copycat families are starting to emerge.

In this post, we have the benefit of analyzing “malware-in-development” and can observe its growth over the coming weeks. The ransomware is called Satana (devil/satan in Italian) and similar to the Petya and Mischa bundle, Satana works in two modes.

The first mode behaves like Petya, a dropper (that is a typical PE file) writes to the beginning of the infected disk a low-level module which is a bootloader with a tiny custom kernel.

The second mode behaves like typical ransomware and encrypts files one by one (just like Mischa).

Contrary to the Petya and Mischa bundle, these modes are not used as alternatives, but are both utilized, one after the other, to infect the system.
#1069 Don’t pay the Ransom! AVG releases six free decryption tools to retrieve your files
AVG Virus Lab is dealing a blow to the bad guys. It is pleased to announce the release of six free decryption tools for recent ransomware strains. That means users can take back what’s theirs without paying a cent in ransom.
#1068 How to detect most malicious macros without an antivirus
mraptor is a simple tool designed to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code. This article explains how it works, and how it can be used in practice.
#1067 MIT's Swarm chip architecture boosts multi-core CPUs
For nearly 10 years, computer processors have been getting faster by using multiple cores rather than raising their individual speeds. This measure makes our PCs and smartphones more power-efficient, but also makes it much trickier to write programs that take full advantage of their hardware. Swarm, a new chip design developed at MIT, could now come to the rescue and unleash the full power of parallel processing for up to 75-fold speedups, while requiring programmers to write a fraction of the code.

Developed by Prof. Daniel Sanchez and team, Swarm is a 64-core chip that includes specialized circuitry for both executing and prioritizing tasks in a simple and efficient manner, taking the onus off software developers.

Writing software for a multi-core chip is a lot like coordinating a complex team project: not all tasks can be delegated, and the ones that can must be carefully split among team members. With software, this sort of planning can be complicated, time-consuming, and add substantial overheads that end up slowing the software's execution. For this reason, parallel programming is usually convenient only for large tasks that number thousands of instructions.
#1066 Lenovo scrambling to get a fix for BIOS vulnerability
Lenovo, and possibly other PC vendors, is exposed to a UEFI bug that can be exploited to disable firmware write-protection.

If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise.”

The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. He writes that the SystemSmmRuntimeRt was copied from Intel reference code.
#1065 A Chinese ad firm is using malware to get more clicks
Advertising agencies go to great lengths to spread their clients’ messages. Now, researchers have uncovered a new approach: malware.

This month, cybersecurity company Check Point reports that a Chinese group called Yingmob has distributed mobile device malware on a massive scale, apparently alongside a legitimate advertising analytics business.

Listed as based in Beijing's Chaoyang District, Yingmob, a subsidiary of MIG Unmobi Technology Inc., markets itself like any other advertising firm. Its professional-looking website claims its easy-to-deploy ads support text, pictures, and video, and don't affect the user experience. It offers pop-up, sidebar, and in-app adverts.

But Check Point's report claims that part of the company—the “Development Team for Overseas Platform,” which employs a staff of 25 people—is responsible for malware it has dubbed “HummingBad.”
#1064 Espionage toolkit targeting central and eastern Europe uncovered
Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe. ESET’s SBDH findings were presented during the Copenhagen Cybercrime Conference 2016 by researchers Tomáš Gardoň and Robert Lipovský.

This toolkit – actually only its initial part – was spreading as an executable with a double extension attached to a phishing email (counting on Windows’ default behavior of hiding an extension). To further increase its chances of being run by the receiver, it uses legitimate looking icons of several Microsoft applications or a Word document.
#1063 Google Project Zero: A year of Windows kernel font fuzzing #2: the techniques
As a software testing technique, fuzzing has a very low entry bar and may be used to achieve satisfying results with little expertise or invested effort. However, it is still not a silver bullet in vulnerability hunting, and there are many stages which may require careful configuration or individual tailoring for a specific target or file format, especially for non-trivial targets such as closed-source operating system kernels. In this post, we have demonstrated how we attempted to enhance the process of Windows kernel font fuzzing to the maximum extent within the available time resources. We especially put a lot of energy into mutating, generating and exercising the inputs in a decently effective way, and into scaling the fuzzing process to thousands of machines, through the development of a dedicated Bochs instrumentation and aggressive optimization of the operating system. The outcome of the work, in the form of 16 high-severity vulnerabilities, has shown that the techniques were effective and improved upon previous work.

Considering how much potential fuzzing has and how broad the subject is, we look forward to seeing it grow further and be used to accomplish even more impressive effects, while ceasing to be perceived as a voodoo technique which "just works" regardless of the technical details behind it. In the upcoming weeks and months, we are also planning to share more of our experience and thoughts in this field.
#1062 How China took center stage in Bitcoin’s civil war
A delegation of American executives flew to Beijing in April for a secret meeting just blocks from Tiananmen Square. They had come to court the new kingmakers in one of the strangest experiments in money the world has seen: the virtual currency known as Bitcoin.

Against long odds, and despite an abstruse structure, in which supercomputers “mine” the currency via mathematical formulas, Bitcoin has become a multibillion-dollar industry. It has attracted major investments from Silicon Valley and a significant following on Wall Street.

Yet Bitcoin, which is both a new kind of digital money and an unusual financial network, is having something of an identity crisis. Like so many technologies before it, the virtual currency is coming up against the inevitable push and pull between commercial growth and the purity of its original ambitions.

In its early conception, Bitcoin was to exist beyond the control of any single government or country. It would be based everywhere and nowhere.

Yet despite the talk of a borderless currency, a handful of Chinese companies have effectively assumed majority control of the Bitcoin network. They have done so through canny investments and vast farms of computer servers dispersed around the country. The American delegation flew to Beijing because that was where much of the Bitcoin power was concentrated.
#1061 UN council: Seriously, nations, stop switching off the damn internet
The United Nations officially condemned the practice of countries shutting down access to the internet at a meeting of the Human Rights Council on Friday.

A resolution [PDF] entitled The promotion, protection and enjoyment of human rights on the Internet effectively extends human rights held offline to the internet. It was passed by consensus, but only after a determined effort by a number of countries, including China and Russia, to pull out key parts of the text.

In particular, a number of states – notable by their authoritarian stances – were opposed to the resolution's focus on the need for an accessible and open internet, and its condemnation of violations against people for expressing their views online. A vote planned for Thursday was delayed to Friday after the issue became heated.

Four amendments pulling out that language were tabled, but none were adopted after an impassioned debate.
#1060 Spy tech that reads your mind
Leaks, theft, and sabotage by employees have become a major cybersecurity problem. One company says it can spot “insider threats” before they happen—by reading all your workers’ email.

On any given morning at a big national bank or a Silicon Valley software giant or a government agency, a security official could start her day by asking a software program for a report on her organization’s staff. “Okay, as of last night, who were the people who were most disgruntled?” she could ask. “Show me the top 10.”

She would have that capability, says Eric Shaw, a psychologist and longtime consultant to the intelligence community, if she used a software tool he developed for Stroz Friedberg, a cybersecurity firm. The software combs through an organization’s emails and text messages—millions a day, the company says—looking for high usage of words and phrases that language psychologists associate with certain mental states and personality profiles. Ask for a list of staffers who score high for discontent, Shaw says, “and you could look at their names. Or you could look at the top emails themselves.”

Many companies already have the ability to run keyword searches of employees’ emails, looking for worrisome words and phrases like embezzle and I loathe this job. But the Stroz Friedberg software, called Scout, aspires to go a giant step further, detecting indirectly, through unconscious syntactic and grammatical clues, workers’ anger, financial or personal stress, and other tip-offs that an employee might be about to lose it.
#1059 Brexit no threat to UK, say cyber-security professionals
The UK’s ability to protect itself against cyber-attacks won’t change if the country opts to leave the European Union, a survey of cyber-security professionals suggests.

The study, conducted by cyber-security firm Tripwire, involved 278 information security professionals who attended the InfoSecurity Europe conference in London last week.

64 per cent of the respondents said that choosing to leave the European Union in the June 23 referendum won’t affect the UK’s ability to protect itself from cyber-attacks. The info-security professionals also suggested that in case of Brexit, the UK could reconsider national implementation of several recent EU data privacy and cyber-security regulations.
#1058 How to crack Android full disk encryption on Qualcomm devices
The heated battle between Apple and the FBI provoked a lot of talk about Encryption – the technology that has been used to keep all your bits and bytes as safe as possible.

We can not say a lot about Apple's users, but Android users are at severe risk when it comes to encryption of their personal and sensitive data.

Android's full-disk encryption can be cracked much more easily than expected with brute force attack and some patience, affecting potentially hundreds of millions of mobile devices.

There may not be a full fix available for current Android handsets in the market.

Security researcher Gal Beniamini has discovered issues (CVE-2015-6639 and CVE-2016-2431) in how Android devices handle its full disk encryption, making it easier for attackers to gain access to the user's sensitive data.

Beniamini also published a detailed step-by-step guide this week on how one can break down the encryption protections on Android smartphones powered by Qualcomm Snapdragon processors.
#1057 Locky variant Zepto debuts with big spam push
Ransomware called Zepto is raising concerns with security experts because of its close ties to the more mature and prolific Locky ransomware. Zepto was spotted about a month ago, but a recent wave of spam containing Zepto-laced attachments detected on June 27 is heightening fears of widespread infections.

“We are watching Zepto very carefully. It’s closely tied to Locky, sharing many of the same attributes,” said Craig Williams, senior technical leader and global outreach manager at Cisco Talos. “There is still a lot to learn about Zepto. As far as we can tell, it’s either a new variant of Locky or an entirely new ransomware with many copycat Locky features,” he said.

Cisco Talos, which published its findings on Zepto Thursday, said 137,731 spam messages have been found this week that contain the Zepto ransomware malicious attachment. The Zepto name comes from the .zepto suffix used as the extension for encrypted files.
#1056 Siemens patches password reconstruction vulnerability in SICAM PAS
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cautioned users who work in electrical substations to update certain builds of energy automation software this week.

ICS-CERT claims two vulnerabilities exist in the Siemens SICAM Power Automation System, or PAS, that could enable an attacker to reconstruct passwords and obtain sensitive information under certain conditions.

Siemens, the German industrial automation technology company that manufactures the software, released an update to address the first vulnerability this week. Users are being encouraged to update to version 8.07 of SICAM PAS to mitigate that issue.
#1055 Mozilla releases first nightly build of Servo, its next-generation browser engine
As promised, Mozilla has released the first Nightly build of Servo, its new browser engine. This is the first tech demo of Servo, which Jack Moffitt, Servo project lead at Mozilla, described to us in March as “a next-generation browser engine focused on performance and robustness.”

Packages for macOS and Linux are available to download from here: Servo Developer Preview Downloads. Mozilla promises that Windows and Android packages will be available “soon.” And because this is Mozilla, you can check out all the code yourself over on GitHub.

To make the Servo engine easy to interact with, Mozilla has bundled an HTML-based browser UI. It is not yet fully web compatible, but when you first run Servo, you’ll see a new tab page showcasing tech demos and sites that Servo renders well.
#1054 You can now browse through 427 million stolen MySpace passwords
An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace — some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free.
#1053 The first big Internet of Things security breach is just around the corner
The only reason these flaws aren't being exploited right now is that hackers currently have little interest, even though these devices are "trivial" to attack, he said. But don't get too comfortable.

"Very soon, we're likely to see a big breach. It's quite probable that some really shiny, cool, new product is going to come along in the next year which will see massive adoption by consumers and enterprises. When that happens, I think attacker interest will rise," he continued, adding "the speed of that market means we're building up to that moment."

Lyne isn't the only one who believes a big IoT security breach is coming: cybersecurity expert Bruce Schneier also fears that one is coming sooner rather than later - and that connected cars could be a particularly dangerous target.

"When you start thinking about a car, you quickly realise the integrity and vulnerability threats are much worse than confidentiality threats and there's real risks to life and property here," he said, speaking at the recent InfoSecurity Europe conference in London.
#1052 Brazilians migrate from WhatsApp to Telegram, cybercriminals follow suit
Staple product offerings like online banking Trojans and tutorials for aspiring cybercriminals are still being peddled in the Brazilian underground market. While old crimeware remains the same, we observed that these young and brazen cybercriminals (two words that aptly describe the Brazilian cybercriminals of today) have switched communication platforms. After the temporary shutdown on WhatsApp last December, cybercriminals changed messaging tools to avoid unwanted attention from law enforcement agencies. Although this shift may be coincidental, the secure messaging features of Telegram, a cloud-based messenger similar to WhatsApp, may make it ripe for abuse.

Brazilian courts required WhatsApp to provide information in relation to criminal investigations at the end of 2015. A court order was issued to telecom providers to block access to WhatsApp, due to failure to abide, forcing users (including cybercriminals) to look for new means to communicate with others. Prior to enforcing the order, WhatsApp had 93 million users in Brazil. This has since dwindled when users moved to Telegram.
#1051 Massachusetts General Hospital confirms third-party breach
A breach at Massachusetts General Hospital has potentially compromised the information of roughly 4,300 dental patients, the hospital warned Wednesday.

MGH was quick to point out that the data leaked wasn’t stored or maintained on its systems but those of a third-party vendor that assists the hospital in managing dental patients at several practices, including the hospital.

The compromised database belongs to Patterson Dental Supply Inc., a medical supplies company headquartered in St. Paul, Minn. An unauthorized individual accessed electronic files, some which included data on MGH dental patients, on PDSI’s systems back in February, the statement reads.
#1050 Netherlands gets first nationwide 'Internet of Things'
Connecting everyday objects to networks, allowing them to send and receive data, is widely seen as the next major evolution of the Internet and one that may transform how many businesses operate and people live.

The rollout of a low data rate (LoRa) mobile communications network is critical to connect objects as many may not be able to link up with home or work Wi-Fi networks to gain Internet access.

"As from today the KPN LoRa network is available throughout The Netherlands," KPN said in a statement.

"This makes The Netherlands the first country in the world to have a nationwide LoRa network for Internet of Things (IoT) application."
#1049 LizardStresser IoT botnet part of 400Gbps DDoS attacks
LizardStresser, a distributed denial of service botnet, has found new life leveraging hundreds of internet-based webcams in attacks against Brazilian-based banks, government agencies as well as a handful of U.S.-based gaming companies.

Researchers at Arbor’s Security Engineering and Response Team (ASERT) say publicly released source code of the LizardStresser botnet in 2015, by the Lizard Squad DDoS group, is behind the attacks. In a report released this week, ASERT says an unknown group of cybercriminals is running this latest iteration of the LizardStresser botnet via approximately 100 command-and-control servers, manipulating about 1,300 webcams and launching attacks as large as 400Gbps.

It’s unclear whose webcams are being hijacked in the attacks, but researchers say the cams that are part of this LizardStresser botnet are running either the x86, ARM or MIPS CPU architecture – all commonly used on embedded IoT devices.